Matrium Insights

Mitigating Cyber Threat UNC3886: Strategies for Lateral Movement Containment

Written by Brad Crismale | August 2025

Singapore has raised its cyber-threat alert level and will soon require all critical information infrastructure (CII) operators to report advanced-persistent-threat (APT) incidents - moves prompted by the ongoing UNC3886 campaign against the country's critical systems.

Here’s the simple takeaway: a single break-in isn’t what hurts you most - what happens after the break-in does. That “after” is called lateral movement: when an intruder fans out from one compromised system to many, turning a spark into a wildfire. Stopping that spread is the fastest, most cost-effective way to protect business operations.

Why lateral movement is the real business risk

  • One foothold can reach dozens of services. UNC3886 is known to “live in the infrastructure” - targeting the virtualisation and network layer that sits underneath many critical applications (Mandiant, which tracks the group, has documented it on VMware ESXi hosts and vCenter servers and on Fortinet and Juniper network devices). From there it moves sideways to find sensitive systems and data.

  • Network walls don’t help once the attacker is already inside. UNC3886 has used malware on ESXi hosts that talks to guest VMs over the hypervisor’s internal guest-host channel (VMCI) rather than over the network, so firewalls and segmentation between those VMs never see the traffic - and the blast radius grows quickly.

  • Endpoint tools miss what they can’t see. Hypervisors and network appliances can’t run EDR agents, and much east-west traffic is encrypted, so this sideways activity never reaches the sensors most SOCs rely on. Visibility beyond endpoints - network, identity and cloud telemetry - is therefore essential.

The Matrium approach: Stop the spread in 3 moves

1) See it - Shine a light on blind spots

Attackers hide in encrypted and east-west traffic. Deep observability - delivering the right traffic and metadata to your security tools, and decrypting only where policy allows rather than everywhere - lets you spot unusual movement early.

Outcome: Fewer blind spots, better signal to your existing security stack, and quicker identification of “patient zero.”

2) Detect it - Turn behaviours into high-confidence signal

Matrium focuses on attacker behaviours (reconnaissance, lateral movement, privilege abuse) across network, identity and cloud - the actions every intruder must take, however much their tools and malware change. The platform also correlates noisy alerts into a single, high-urgency incident, cutting up to 99% of alert noise and surfacing what truly matters.

Outcome: Faster triage and response; paired with automation, attacker dwell time can fall from months to minutes.
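To make the “behaviours, not signatures” idea concrete, here is an added illustrative example (not Matrium’s detection logic, and not code from the original page). It runs two behaviour detectors over constructed telemetry - a recon sweep (one host touching many others in a short window) and credential fan-out (one account logging on to many hosts) - and then correlates every alert about the same source host into one incident. The event fields, thresholds, rule names and sample records are all assumptions chosen for the demonstration.

```python
"""Behaviour-led lateral-movement detection over constructed telemetry.

Added illustrative example; this is not Matrium's detection logic. Event
fields, thresholds, rule names and the sample records are all assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample telemetry: (timestamp_s, kind, src_host, user, dst_host, dst_port)
EVENTS = [
    # web-01 sweeps the server subnet on SMB/SSH (recon) ...
    (100, "flow", "web-01", None, "db-01", 445),
    (101, "flow", "web-01", None, "db-02", 445),
    (102, "flow", "web-01", None, "fs-01", 445),
    (103, "flow", "web-01", None, "dc-01", 445),
    (104, "flow", "web-01", None, "esxi-01", 22),
    # ... then reuses one service credential against several hosts (lateral movement)
    (200, "auth", "web-01", "svc_backup", "db-01", 445),
    (215, "auth", "web-01", "svc_backup", "fs-01", 445),
    (230, "auth", "web-01", "svc_backup", "dc-01", 445),
    (260, "auth", "web-01", "svc_backup", "esxi-01", 22),
    # benign background: one admin logon, a monitoring poller touching two hosts
    (210, "auth", "jump-01", "alice", "db-01", 22),
    (220, "flow", "mon-01", None, "db-01", 5432),
    (221, "flow", "mon-01", None, "db-02", 5432),
]

RECON_HOSTS, RECON_WINDOW = 4, 60        # distinct hosts touched within 60 s
LATERAL_HOSTS, LATERAL_WINDOW = 3, 300   # hosts one credential logs on to within 5 min

@dataclass
class Alert:
    rule: str
    entity: str            # source host the behaviour was observed from
    user: "str | None"     # None for flow records
    first_ts: int
    last_ts: int
    targets: set = field(default_factory=set)

@dataclass
class Incident:
    entity: str
    rules: set
    users: set
    targets: set
    first_ts: int
    last_ts: int
    alert_count: int

    @property
    def severity(self) -> str:
        # Two distinct attacker behaviours chained on one entity escalate the incident.
        return "critical" if len(self.rules) >= 2 else "high"

def _fanout(events, key_fn, window, threshold, rule):
    """Sliding window: alert when one key reaches >= threshold distinct hosts within `window`."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_key[key_fn(ev)].append(ev)
    alerts = []
    for key, evs in by_key.items():
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start[0] <= window]
            targets = {e[4] for e in in_window}
            if len(targets) >= threshold:
                alerts.append(Alert(rule, key[0], key[1], start[0], in_window[-1][0], targets))
                break  # one alert per key; correlation below merges the rest
    return alerts

def detect_recon(events):
    flows = [e for e in events if e[1] == "flow"]
    return _fanout(flows, lambda e: (e[2], None), RECON_WINDOW, RECON_HOSTS, "recon_sweep")

def detect_credential_fanout(events):
    auths = [e for e in events if e[1] == "auth"]
    return _fanout(auths, lambda e: (e[2], e[3]), LATERAL_WINDOW, LATERAL_HOSTS, "credential_fanout")

def correlate(alerts):
    """Collapse every alert about one source host into a single incident."""
    by_entity = defaultdict(list)
    for a in alerts:
        by_entity[a.entity].append(a)
    incidents = []
    for entity, group in by_entity.items():
        incidents.append(Incident(
            entity=entity,
            rules={a.rule for a in group},
            users={a.user for a in group if a.user},
            targets=set().union(*(a.targets for a in group)),
            first_ts=min(a.first_ts for a in group),
            last_ts=max(a.last_ts for a in group),
            alert_count=len(group),
        ))
    return sorted(incidents, key=lambda i: i.first_ts)

def detect(events):
    return correlate(detect_recon(events) + detect_credential_fanout(events))

if __name__ == "__main__":
    for inc in detect(EVENTS):
        print(f"[{inc.severity}] {inc.entity}: {sorted(inc.rules)} using {sorted(inc.users)} "
              f"-> {sorted(inc.targets)} ({inc.alert_count} alerts from {len(EVENTS)} events)")
```

Thirteen raw events produce two alerts and one critical incident for web-01; the monitoring poller and the single admin logon never cross a threshold. Neither detector cares which tool generated the traffic, which is the point: the thresholds describe what an intruder must do, not what malware they carry.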

3) Contain it - Limit how far an attacker can move

Zero Trust Segmentation (micro-segmentation) turns your network into a series of fire compartments: a compromise in one area cannot spread to the rest. When policy is written in terms of application flows and workload labels - not IP addresses - blocking suspicious east-west movement becomes a fast, low-drama control the SOC can trust, and the policy keeps working when addresses change.

Outcome: A small incident stays small. Recovery is quicker, cheaper, and far less disruptive.

What boards and CISOs should ask this quarter

  1. Where could an attacker move if they were inside today? Map “crown-jewel adjacency” - every system that can reach your most sensitive assets - and apply segmentation to shrink the blast radius.

  2. Can we see lateral movement in encrypted east-west traffic? Add deep observability so your security tools receive the right data.

  3. Are we detecting behaviours, not just signatures? Use behaviour-led detection so hypervisor- or appliance-level intrusions don’t slip by.

  4. How quickly can we contain? Pre-wire playbooks that isolate hosts and accounts the moment lateral movement is spotted.
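The segmentation step above and question 1 both come down to the same exercise: write policy in terms of application flows, then measure how far an intruder could get under it. The following added example (not Matrium’s product or code, and not a real policy format) does that over a constructed inventory: hosts carry labels rather than IP addresses, a default-deny rule set allows only the expected flows, a breadth-first search computes the blast radius from a compromised host before and after segmentation, and observed flows that the policy would not permit are flagged as candidate lateral movement. Host names, labels, rules and flows are all constructed.

```python
"""Label-based segmentation policy and blast-radius check over a constructed inventory.

Added illustrative example; not Matrium's product, a real customer network or a
real policy format. Hosts, labels, rules and observed flows are all constructed.
"""
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: frozenset      # label selector: set of (key, value) pairs; empty matches any host
    dst: frozenset
    port: "int | None"  # None = any port (used only to model the flat network)

def selector(**labels):
    return frozenset(labels.items())

def matches(sel, labels):
    return sel <= frozenset(labels.items())

# Constructed inventory: workloads are described by labels, never by IP address.
HOSTS = {
    "web-01":    {"app": "shop", "tier": "web"},
    "web-02":    {"app": "shop", "tier": "web"},
    "api-01":    {"app": "shop", "tier": "api"},
    "db-01":     {"app": "shop", "tier": "db"},
    "pay-db-01": {"app": "payments", "tier": "db"},   # the crown jewel
    "jump-01":   {"app": "it", "tier": "bastion"},
    "esxi-01":   {"app": "it", "tier": "hypervisor"},
}

# Default-deny: only these application flows are permitted east-west.
POLICY = [
    Rule(selector(app="shop", tier="web"), selector(app="shop", tier="api"), 8443),
    Rule(selector(app="shop", tier="api"), selector(app="shop", tier="db"), 5432),
    Rule(selector(tier="bastion"), selector(), 22),   # admins may SSH from the bastion anywhere
]
FLAT_NETWORK = [Rule(selector(), selector(), None)]  # pre-segmentation baseline: anything goes

def allowed(policy, hosts, src, dst, port=None):
    """True if any rule permits src -> dst on port (port=None asks 'on any port')."""
    if src == dst:
        return False
    return any(matches(r.src, hosts[src]) and matches(r.dst, hosts[dst])
               and (port is None or r.port is None or r.port == port) for r in policy)

def blast_radius(policy, hosts, start):
    """Hosts reachable from `start`, treating every reached host as compromised in turn."""
    reached, queue = set(), deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in hosts:
            if nxt != start and nxt not in reached and allowed(policy, hosts, cur, nxt):
                reached.add(nxt)
                queue.append(nxt)
    return reached

def flag_unexpected(policy, hosts, flows):
    """Observed east-west flows the policy does not permit: candidate lateral movement."""
    return [f for f in flows if not allowed(policy, hosts, *f)]

# Constructed observed flows: (src, dst, dst_port)
FLOWS = [
    ("web-01", "api-01", 8443),     # normal app traffic
    ("web-01", "db-01", 5432),      # web tier skipping the API tier
    ("web-01", "esxi-01", 22),      # web server touching the hypervisor
    ("api-01", "pay-db-01", 5432),  # shop API reaching the payments database
    ("jump-01", "pay-db-01", 22),   # admin from the bastion, permitted
]

if __name__ == "__main__":
    for name, pol in (("flat", FLAT_NETWORK), ("segmented", POLICY)):
        r = blast_radius(pol, HOSTS, "web-01")
        print(f"{name}: web-01 can reach {len(r)} hosts -> {sorted(r)}")
    for f in flag_unexpected(POLICY, HOSTS, FLOWS):
        print("unexpected flow:", f)
```

On the flat network a compromised web-01 reaches all six other hosts; under the policy it reaches only api-01 and db-01, and the payments database drops out of its blast radius entirely. Running the same search from jump-01 shows the bastion can still reach everything, which is exactly the crown-jewel adjacency question 1 asks you to find and tighten.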

Why this matters now 

Singapore’s heightened alert and the upcoming requirement for CII owners to report APT incidents underscore a simple truth: these threats are already here, and speed matters. Regulators and incident responders agree: you need broad, timely visibility and controls that make lateral movement hard.

Ready to reduce your blast radius?

Matrium helps organisations see, detect and contain lateral movement without ripping and replacing the existing security stack. If you’d like a quick review of your current blast radius and practical next steps, we can provide an action plan aligned to your environment and regulatory obligations.